  1. #1

    Achieving PCI Compliance for servers managed by Plesk 9.5

    * Securing Linux Servers

    You first need to run the PCI Compliance Resolver utility available from the Parallels Plesk Panel installation directory.
    It will disable weak SSL ciphers and protocols for Web and e-mail servers operated by Parallels Plesk Panel.

    Code:
    /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
    (The option "--enable all" switches off weak SSL ciphers and protocols for Web and e-mail servers.)

    Some PCI compliance scanners may require that the medium strength SSL ciphers for access to the Panel be also switched off.
    For this reason, after you have run the utility, you need to modify a configuration file that was created by it.

    1. Open for editing the file /usr/local/psa/admin/conf/cipher.lst.
    2. Remove all lines from the file.
    3. Insert the following line:
    Code:
    ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5

    4. Save the file.
    5. Restart the Web server: On Linux systems, issue the command /etc/init.d/sw-cp-server restart.

    Now you need to switch off weak SSL ciphers for connections to Qmail e-mail server.

    If you use Qmail mail server, issue the following commands at the prompt:

    On Linux systems:
    Code:
    echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsserverciphers
    echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsclientciphers

    You also need to prohibit access to MySQL database server from external addresses. To do this, in a firewall that protects your Panel-managed server, add or enable a rule that prohibits TCP and UDP connections to the port 3306 from all addresses except 127.0.0.1.


    * To conceal the version of the DNS server from potential attackers, do the following:

    1. Open for editing the DNS server's configuration file, named.conf. On Linux systems, it is located in /etc/.
    2. Locate the options {} section, and add the line version "none"; there.
    3. Restart the named service:

    - On RPM package-based systems, issue the command /etc/init.d/named restart


    * To conceal the version of the Apache Web server from potential attackers, do the following:

    1. Open for editing the Web server's configuration file at /etc/httpd/conf/httpd.conf.

    2. Add the following lines:
    Code:
    ServerTokens ProductOnly
    TraceEnable OFF

    3. Save the file.
    4. Restart the Web server.

  2. #2


    Nice one, very helpful

    The cipher file you refer to isn't there on my system (ubuntu, Plesk 9.5.2) for some reason.
    I'll have a look around.

    Thanks once again

    Lloyd
    (linux noob)

  3. #3


    Quote Originally Posted by lloyd-d View Post
    Nice one, very helpful

    The cipher file you refer to isn't there on my system (ubuntu, Plesk 9.5.2) for some reason.
    I'll have a look around.

    Thanks once again

    Lloyd
    (linux noob)
    Hi Lloyd,

    Welcome to Eukhost community forums

    You can try creating the file manually using the following command:
    Code:
    touch /var/qmail/control/tlsclientciphers
    Let us know how that goes or if you find any other relevant solution

    Rock _a.k.a._ Jack

  4. #4


    Ok will try that, thanks.
    What would I put in the file once created? The same as in cipher.lst?

    Code:
    ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5
    Thanks for all your help
    Kind regards

    Lloyd

  5. #5


    Quote Originally Posted by lloyd-d View Post
    Ok will try that, thanks.
    What would I put in the file once created? The same as in cipher.lst?

    Thanks for all your help
    Kind regards

    Lloyd
    You're welcome, Lloyd. Yes, you need to enter that info in the newly created file.

    Rock _a.k.a._ Jack

  6. #6


    Sweet, got rid of most of my security warnings, still a few holes though.
    I did openssl ciphers -v
    and it seems I still have medium strength ciphers (see attachment). Is there a command I can issue to turn off medium ciphers?
    Thanks for all your help
    Kind regards

    Lloyd
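The cipher.lst line given in post #1 and the medium-strength ciphers Lloyd still sees in post #6 can be checked offline with the following Python script, an added example that is not from the thread or from Plesk. It parses an OpenSSL-style cipher list and flags suites by name using a constructed rule table: anonymous (ADH) suites give no server authentication, and the DES-CBC3 suites are 3DES (112-bit effective), which is exactly what scanners report as "medium strength".

```python
import re

# Constructed sample: the cipher.lst line quoted in post #1 of the thread.
SAMPLE_CIPHER_LST = (
    "ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA "
    "KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA "
    "EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5"
)

# Constructed name-pattern rules (OpenSSL suite names encode key exchange,
# cipher and MAC); a suite collects every reason that applies to it.
RULES = [
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange: no server authentication"),
    (re.compile(r"NULL"), "NULL cipher: no encryption"),
    (re.compile(r"^EXP"), "export grade: 40/56-bit keys"),
    (re.compile(r"DES-CBC-"), "single DES: 56-bit key"),
    (re.compile(r"DES-CBC3|3DES"), "3DES: 112-bit effective, reported as medium strength"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"-MD5$"), "MD5 MAC"),
]


def parse_cipher_list(text):
    """Split an OpenSSL cipher list on the separators OpenSSL accepts
    (colon, comma, whitespace). Modifiers (!aNULL, +HIGH, -LOW) and
    @STRENGTH are dropped; keyword groups such as ALL are not expanded."""
    return [tok for tok in re.split(r"[:,\s]+", text.strip())
            if tok and tok[0] not in "!+-@"]


def audit_ciphers(text):
    """Return {suite: [reasons]} for flagged suites, in list order."""
    flagged = {}
    for name in parse_cipher_list(text):
        reasons = [why for rx, why in RULES if rx.search(name)]
        if reasons:
            flagged[name] = reasons
    return flagged


def clean_cipher_list(text):
    """The suites that pass every rule, re-joined in OpenSSL's ':' form."""
    bad = audit_ciphers(text)
    return ":".join(n for n in parse_cipher_list(text) if n not in bad)


if __name__ == "__main__":
    for suite, reasons in audit_ciphers(SAMPLE_CIPHER_LST).items():
        print(f"{suite:24} {'; '.join(reasons)}")
    print("keep:", clean_cipher_list(SAMPLE_CIPHER_LST))
```

Keyword specs such as the qmail string are not expanded by the script; run `openssl ciphers 'SPEC'` first (the same list Lloyd's `openssl ciphers -v` prints, minus the details) and feed its output in.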
